kinow commented on code in PR #1908:
URL: https://github.com/apache/jena/pull/1908#discussion_r1231503330


##########
jena-arq/src/main/java/org/apache/jena/sparql/function/scripting/ScriptFunction.java:
##########
@@ -88,28 +94,65 @@ public static boolean isScriptFunction(String uri) {
         return langPart.endsWith(FUNCTION_SUFFIX);
     }
 
+    public ScriptFunction() { }
+
     @Override
     public void checkBuild(String uri, ExprList args) {
+        throw new IllegalStateException("ScriptFunction.checkBuild called");
+    }
+
+    @Override
+    public void build(String uri, ExprList args, Context cxt) {
         checkScriptingEnabled();
         if (!isScriptFunction(uri))
             throw new ExprException("Invalid URI: " + uri);
         String localPart = uri.substring(ARQ_NS.length());
         int separatorPos = localPart.indexOf('#');
         this.lang = localPart.substring(0, separatorPos - 
FUNCTION_SUFFIX.length());
         this.name = localPart.substring(separatorPos + 1);
-
-        // Check for bare names that are provided by the language e.g. 'eval' 
which
-        // is a JS and Python built-in function and always available.
-        if ( lang.toLowerCase(Locale.ROOT).contains("python") ) {
-            if ( Objects.equals("eval", name) || Objects.equals("exec", name) )
-                throw new ExprException(lang+" function '"+name+"' is not 
allowed");
-        } else {
-            // Assume javascript.
-            if ( Objects.equals("eval", name) )
-                throw new ExprException("JS function '"+name+"' is not 
allowed");
+        this.allowList = allowList(cxt, ARQ.symCustomFunctionScriptAllowList);
+
+        String cname = lang.toLowerCase(Locale.ROOT);
+        switch(cname) {
+            case "js":
+                // never allow these.
+                this.denyList = Set.of("eval", "load");
+                check(lang, name, allowList, denyList);
+                break;
+            case "python":
+                // never allow these.
+                this.denyList = Set.of("eval");
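
Review bot: The Python branch narrows the deny list compared with the code it replaces: the removed block rejected both `eval` and `exec` for Python, while the new `case "python":` sets `this.denyList = Set.of("eval")` only. If dropping `exec` is deliberate, a comment next to the `Set.of` should say why (the JS branch did the opposite and added `load`); otherwise restore it as `Set.of("eval", "exec")`. Separately, the overridden `checkBuild` now unconditionally throws `IllegalStateException("ScriptFunction.checkBuild called")`, which reads as an assertion that the three-argument `build(String, ExprList, Context)` is the only supported entry point; a one-line comment above it stating that intent would keep the next reader from treating it as dead or broken code.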

Review Comment:
   I don't know if there's a good list of functions and modules to sandbox in Python. Maybe `exec` too? It looks like it was removed in the diff above?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.